Some thoughts on Hidden Services

I ought to post my own responses to that Andy Greenberg article, too. (Especially since most everybody else around here is at 31c3 right now, or sick with the flu, or both.)

When I saw the coverage of the hidden services study that was presented at CCC today, I was reminded of the media fallout from that old study from the 1990s that "proved" that a ridiculously high fraction of the internet was pornography...by looking at Usenet*, and by counting newsgroups and bytes. (You might remember it; it was the basis of the delightful TIME Magazine "Cyberporn" cover.)

The 1990s researcher wasn't lying outright, but he and the press *were* conflating one question: "What fraction of Usenet groups are 'alt.sex' or 'alt.binaries' (file posting) groups" with two others: "What fraction of internet traffic is porn?" and "What fraction of internet-user hours are spent on porn?"

These are quite different things.

The presentation today focused on data about hidden service types and usage. Predictably, given the results from Biryukov, Pustogarov, Thill, and Weinmann, the researcher found that hidden services related to child abuse are only a small fraction of the total number of hidden service addresses on the network. And because of the way that hidden services work, traffic does not go through hidden service directories, but instead through rendezvous points (randomly chosen Tor nodes): so no relay that knows the hidden service's address will learn the actual amount of traffic transmitted. But, as previously documented, abusive services represent a disproportionate fraction of usage... if you're measuring usage with hidden service directory requests.

Why might that be?

First, some background. Basically, a Tor client makes a hidden service directory request the first time it visits a hidden service that it has not been to in a while. (If you spend hours at one hidden service, you make about 1 hidden service directory request. But if you spend 1 second each at 100 hidden services, you make about 100 requests.) Therefore, obsessive users who visit many sites in a session account for many more of the requests that this study measures than users who visit a smaller number of sites with equal frequency.

There are other confounding factors as well. Due to bugs in older Tor implementations, a hidden service that is unreliable (or completely unavailable) will get many, many more hidden service directory requests than a reliable one. So if any abuse sites are unusually unreliable, we'd expect their users to create a disproportionately large number of hidden service directory requests.

Also, a very large number of hidden service directory requests are probably not made by humans! See bug 13287: We don't know what's up with that. Could this be caused by some kind of anti-abuse organization running an automated scanning tool?

In any case, a methodology that looks primarily at hidden service directory requests will over-rate services that are frequently accessed from a Tor client that hasn't been there recently, and under-rate services that are used via tor2web, and so on. It also depends a lot on how hidden services are configured, how frequently Tor hidden service directories go up and down, and what times of day they change introduction points in comparison to what time of day their users tend to be awake.

The greater the number of distinct hidden services a person visits, and the less reliable those sites are, the more hidden service directory requests they will trigger.

Suppose 10 people use hidden services to look at conspiracy theories, 100 people use hidden services to buy Cuban cigars, and 1000 people use it for online chat.

But suppose that the average cigar purchaser visits only one or two sites to make purchases, and the average chat user joins one or two networks, whereas the average conspiracy theorist needs to visit several dozen forums and wikis.

Suppose also that the average Cuban cigar purchaser makes about two purchases a month, the average chat user logs in once a day, and the average conspiracy theorist spends 3 hours a day crawling the hidden web.

And suppose that conspiracy theory websites come and go frequently, whereas cigar sites and chat networks are more stable.

In this analysis, even though there are far more people buying cigars, users whose obsessive behavior spans multiple unreliable hidden services will be far more heavily represented in the count of hidden service directory requests than users whose activities are less frequent and spread across fewer services. So any comparison of hidden service directory request counts will say more about the behavioral differences of different types of users than about their relative numbers, or the amount of traffic they generated.
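The thought experiment above can be run as a small model. This is an added example, not part of the original post and not Tor code: the cache lifetime, the retry count for unreachable services, the visits per session and the reading of "several dozen" as 36 are all assumptions chosen to fit the scenario, not measured Tor behavior.

```python
"""Toy model of hidden service directory (HSDir) request counts.

Constructed illustration: every parameter below is an assumption picked to
match the cigar / chat / conspiracy scenario, not a measurement.
"""
from dataclasses import dataclass

DAYS = 30          # length of the observation window
CACHE_TTL_H = 12   # assumed: hours a client reuses a descriptor it already fetched


@dataclass(frozen=True)
class Group:
    name: str
    users: int
    sites: int               # distinct hidden services each user visits
    sessions: int            # sessions per 30 days, evenly spaced
    visits_per_session: int  # site visits per session, round-robin over `sites`
    retries: int             # assumed extra fetches per visit to an unreachable service


def requests_per_user(g: Group) -> int:
    """HSDir fetches one user of this group triggers in the window.

    A reliable service costs one fetch per visit unless a descriptor fetched
    less than CACHE_TTL_H hours ago is still cached. An unreliable service
    (retries > 0) costs 1 + retries fetches on every visit, modelling the
    re-fetch behavior of older clients when a connection attempt fails.
    A session is treated as instantaneous for cache purposes.
    """
    cache = {}  # site index -> hour of last successful descriptor fetch
    total = 0
    for s in range(g.sessions):
        hour = s * (DAYS * 24) // g.sessions
        for v in range(g.visits_per_session):
            site = v % g.sites
            fresh = site in cache and hour - cache[site] < CACHE_TTL_H
            if g.retries:
                total += 1 + g.retries
                cache[site] = hour
            elif not fresh:
                total += 1
                cache[site] = hour
    return total


def shares(groups):
    """Return {name: (share of users, share of HSDir requests)}."""
    reqs = {g.name: g.users * requests_per_user(g) for g in groups}
    total_reqs = sum(reqs.values())
    total_users = sum(g.users for g in groups)
    return {
        g.name: (g.users / total_users, reqs[g.name] / total_reqs)
        for g in groups
    }


# Scenario from the text; sites, visits and retries are assumed values.
CONSPIRACY = Group("conspiracy", users=10, sites=36, sessions=30,
                   visits_per_session=72, retries=2)
CIGARS = Group("cigars", users=100, sites=2, sessions=2,
               visits_per_session=2, retries=0)
CHAT = Group("chat", users=1000, sites=2, sessions=30,
             visits_per_session=6, retries=0)
GROUPS = [CONSPIRACY, CIGARS, CHAT]


if __name__ == "__main__":
    print(f"{'group':<12}{'users %':>10}{'requests %':>12}")
    for name, (u, r) in shares(GROUPS).items():
        print(f"{name:<12}{u * 100:>10.1f}{r * 100:>12.1f}")
```

Under these assumptions the 10 conspiracy readers are under 1% of users but account for just over half of the directory requests, while the 100 cigar buyers all but vanish from the count.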

In conclusion, let's spend a minute talking about freedom and philosophy. Any system that provides security on the Internet will inevitably see some use by bad people that we'd rather not help at all. After all, cars are used for getaways, and window shades conceal all kinds of criminality. The only way to make a privacy tool that nobody abuses is to make it so weak that people aren't willing to touch it, or so unusable that nobody can figure it out.

Up till now, many of the early adopters for Tor hidden services have been folks for whom the risk/effort calculations have been quite extreme, since--as I'd certainly acknowledge--the system isn't terribly usable for the average person as it stands. Roger noted earlier that hidden services amount to less than 2% of our total traffic today. Given their privacy potential, I think that's not even close to enough. We've got to work over the next year or more to develop hidden services to the point where their positive impact is felt by the average netizen, whether they're publishing a personal blog for their friends, using a novel communications protocol more secure than email, or reading a news article based on information that a journalist received through an anonymous submission system. Otherwise, they'll remain a target for every kind of speculation, and every misunderstanding about them will lead people to conclude the worst about privacy online. Come lend a hand?

(Also, no offense to Andy on this: he is a fine tech reporter and apparently a fine person. And no offense to Dr. Owen, who explained his results a lot more carefully than they have been re-explained elsewhere. Now please forgive me, I'm off to write some more software and get some sleep. Please direct all media inquiries to the email of "press at torproject dot org".)

* Usenet was sort of like Twitter, only you could write paragraphs on it. ;)

I thoroughly agree that an increased adoption of hidden services (though I very much dislike that term) is a key goal. It would provide both validation and increase diversity, which are valuable attributes. Given the recent expansion of the tor user base and network, that seems like a very achievable goal for the coming year.

Best of luck in the new year.

/Tor user and relay operator.

PS: I think that a rebranding of "hidden services" may be a good idea too. May I suggest: tor service, tor site, tor website, tor web service, onion site, onion site service, and Tor Onion Site Service (TOSS). I prefer the last, as you can use free software at the site to have a FLOSS TOSS. :)
PPS: Happy new year to the tor community.

Why is the Tor Project conflating this researcher with someone else who misinterpreted the data? If you watch his talk, he was very clear what the figures meant. Attempting to discredit someone who was honest - c'mon Nick, you're better than that.

Many non-technical citizens around the world are, I suspect, anxious to run Tor nodes. But the barriers for individuals with limited knowledge and resources always seem to be much too high. Can we try to work to change this situation?

Some questions for which I cannot find reliable recent useful answers:

1. Is it a bad idea for someone with no experience setting up or operating a publicly accessible server to try to configure and run a server (running Debian stable on an old PC) dedicated as a slow Tor node? Does updated Debian stable avoid the worst problems with TLS "out of the box", or is further knowledge and effort essential?

2. Is it possible to run a Tor bridge from a residential connection? Could it be useful to do that? What would be the minimal burst/sustained bandwidth?

3. How much can an inexperienced operator do with little or no interaction with untrusted ISP staff? Does it matter much for a slow bridge node if the connection is residential class? Dynamic IP (but effectively unchanging for weeks or months)?

4. Would a SOHO router automatically take care of NAT? Is it too dangerous (to the operator? to users?) to try to put a Tor bridge behind a cheap SOHO router which one must assume (yes?) is shell-shocked or heart-bled or poodled?

5. Any advice on simple IDS or monitoring packages (nagios? arm? tripwire?) from Debian repositories which would be appropriate for modest attempts to secure a server configured as dedicated Tor node? Is it much easier if one anticipates monitoring from the console rather than using ssh? If one wants to try to maintain a healthy server, how important is it to either install X or not?

6. Is there a simple way for non technical individuals to use Tor Browser Bundle to make a useful dedicated Tor bridge running Debian stable behind a SOHO router on a residential connection? If so, what is the simple trick?

7. Any tutorials for individuals who have never configured a website or blog on putting up anonymous blogs/websites as hidden services?

One problem with available documentation is that such tutorials as exist are mostly undated, but we all know that what seemed like a good idea 12 months ago might seem like a bad idea today. Another is that almost all tutorials assume the reader has prior experience operating servers. Educating inexperienced volunteers could be expensive in staff time and effort but could pay off in the long run by increasing the number of volunteers with the minimal necessary skills.

Advice to "Sign up and ask on a mailing list" is an instant deal breaker.

Most useful would be a step by step RECENT tutorial for setting up a small slow Tor bridge which you think would work and be useful to some Tor users. Would it be absurd to argue that even if each one only works for a month before being discovered, if many people know how to set up a small slow Tor bridge from their residences, the bandwidth might add up to something useful to people trying to break through national firewalls?

Do you know Louise Mensch (look up her Twitter account)? She is very keen on slandering Tor as a tool that fosters child abuse. I am not a lawyer but some of Louise Mensch's statements seem to be libel in a legal sense. Is there a way to stop her? It is so obvious that Louise Mensch is an anti-privacy extremist. She abuses child pornography as a pretext for her total surveillance ideology.

The problem is not that Louise Mensch doesn't like Tor. She can argue with facts as much as she wants to. Open discussions with respect for each other are always welcomed.

The problem is that she slanders and libels Tor and the Tor Community as being active supporters of child abuse. Freedom doesn't include the freedom to libel and slander other people with lies and wrong accusations.

It is clear that Louise Mensch's agenda aims to discredit and demonize Tor and every one involved in its community. She is an extremist because she doesn't respect privacy, anonymity and freedom of innocent people around the world. She wants innocent people to give up their natural human rights. So, she isn't moderate in her political positions. That's why she can be called an extremist who supports total surveillance.

Why bother? You're just giving her more attention - precisely what she wants.

I've not seen her comments regarding Tor, but if her grasp of Tor is as tenuous as her grasp of politics -- then I can't imagine anything she has to say is either relevant or paid much heed by anyone relevant.

* hard for corporate or state-sponsored enemies to permanently extinguish.

Good terminology would stress that the modern USG is playing the role of George III, but equipped with the totalitarian tools and mindset of Orwell's Big Brother, and targeting every human. They have the *power* to do that, but not the *right* to do that. Tor stands for the *rights* of oppressed citizens, against the *powers* of increasingly authoritarian and oppressive governments.

Good terminology would stress the fact that the USA was created by revolutionaries who rudely overthrew the "legal government" (the British sovereign even claimed to rule by divine authorization), and would invoke such positive images from revolutionary history as this:

On the night of Tue/Wed 18/19 Apr 1775, two anons (much later named as Robert Newman and John Pulling) secretly ascended the steeple of North Church in Boston, and briefly unveiled two lanterns, which was the prearranged signal to confederates on the mainland that the "legal government" was moving military forces by water in an attempt to seize a rebel arms cache.

Aren't leak sites modern analogs of the migrating Patriot powder caches? You can't fight a nuclear power with muskets, but just maybe you can oppose it or at least illuminate it with information.

Please, if you can point at any design flaw or bugs in tor let community know it! Otherwise it's the same as to advise not to use state highways. Don't forget that gov agencies do not have their own money but people's taxes.

I'd expect *many* law enforcement agencies scan abuse related hidden services regularly, which inflates the number of requests since scanning scripts that fire up their own tor would not cache lookups.

I consider Dr Owen's discussion about censoring abuse related hidden services willfully naive because any attempt to block abuse related hidden services will merely make it harder for law enforcement to catch them.

First, criminals are caught through their op sec failures. Law enforcement catches many classes of op sec failures by regularly scanning hidden services. At what time of day is the .onion site updated? When is the site down and for how long? Does either suggest a timezone? What software does the site use? What version numbers of that software? Both silk road operators were caught in part through such monitoring of the site.

Second, there is no obligation to make your hidden service identify its contents without authentication, instead use ordinary login tools or stealth hidden services. Any attempt to blocklist abuse sites would merely push them to adopt authentication, making it impossible to maintain a blocklist and making it tougher to crawl sites for law enforcement purposes.

In short, there is only one reason to support a blocklist for abuse sites: You want the abuse sites to get away with it.

And let's assume the next step - terrorist nsa agency can't get data so they open their own child abuse hidden service and make it popular in the agency. Later they even raid it. It's provocation department work.

Adding blocklist will only by itself be abused because those in control will be too tempted to block things they disagree with.

Tor is supposed to prevent censorship.

The "I want this because of child porn" or "think of the children" are only excuses.

Bad stuff will always exist. In my experience and history, the more forbidden something is the more sought after it will become.

There exist animal abuse sites on clear net. Clear net has huge blocklists. Have the animal sites been blocked? No. Not a single one since I last looked.
Why? Because the excuses mentioned above are politically driven. Used to get elected. Used to get what you want. "I want to monitor all e-mails because think of the children."

Most people do not have the brains or the courage enough to call it for what it is. Bullshit.

Has the Tor Project become corrupt and used to drive through somebody's political or moral views?
Have the developers been pressured by for example their partner (wife, etc)?

The trend seems to indicate that censoring features are coming. That will kill tor.

I certainly can't answer your question, but there's something to be said for putting your virtual eggs in more than one basket. If I2P "has a lot to offer in terms of hidden services", let there be exchange of information, but no premature merger. Let them expand and improve independently. This way, when one of them takes some flak, the other system can well remain unaffected. Tor and I2P, while similar from a bird's eye view (there's at least one nice recent paper somewhere in the Anonbib that compares them), are IMHO different enough to coexist.

Those Lizard people are complete script kiddies. All they would do is damage the Tor network like Anonymous' misguided "opdarknet" shit did. The sites would simply switch to nginx or disable keepalive, prompting the Lizard people to use high bandwidth attacks instead of less Tor-damaging slowloris-type attacks (which rely on keepalive being enabled).

Plus, how do you define "offending sites"? Personally, I think a site selling (excessively powerful) weapons is significantly more harmful and "offending" than a website that shows, say, jailbait or non-nude child modeling. We can all agree that a website focusing on nonconsensual sex with prepubescent children is immoral (even if not everyone agrees on whether or not the images are more immoral than the act of abuse), but the real world is not that black and white. There are always grey areas and if you want to invoke vigilante attacks, you have to be absolutely sure that the target is clear-cut.

At the end of the day though, it's still just images. The majority of abuse is very rarely recorded, and your time and effort would be better served fighting against the abuse that is not helpfully put online with evidence for all to see.

As @fpietrosanti mentioned at the end of Gareth's talk, there are only about 30 CP hidden service sites, but many law enforcement agencies around the world track them. Law enforcement has incentive to get updates from these sites as frequently as possible-- if a user of one of these sites makes an OPSEC mistake in a post and then quickly deletes the post, LE would not want to miss that. Additionally, the law enforcement agencies worldwide that track child abuse don't communicate with each other well, so Italian law enforcement needs to set up data-gathering operations independently from UK, US, and Dutch crime bureaus. That adds up to a lot of crawling of very few sites.

As frequently as possible yet to the detriment of other agencies. Without sharing the data that is gathered this heavy scraping traffic may be preventing NCMEC or any equivalent from getting that crucial bit of information. This is certainly not the forum in which to discuss intricacies of the topic but this type of information needs a way to be shared efficiently and quickly within the LE community. INTERPOL recently touched on this: http://www.interpol.int/News-and-media/News/2014/N2014-237

So then how was this study able to ascertain percentages without knowing about every onion site that exists? I guess they (somehow) monitored all requests and then went to the pages themselves to see what they were about?

Sure. Same way as with other enemies of Tor: you stop them by writing blogs dissecting their "arguments", exposing their hypocrisy, revealing (in many cases) their personal financial interest...

"Has there ever been talk between the Tor project and the I2P project about possible merge?"

For a long time, the Tails devs cooperated with i2p devs, and even put i2p into Tails. A few years ago an independent audit uncovered some serious vulnerabilities in i2p, and there were calls to remove i2p from Tails, but I would hope that the i2p developers responded by closing those vulnerabilities. Ideally, the auditors would publicly confirm that the holes have been closed. Assuming that these auditors and the Tails devs now think i2p meets or exceeds the security/anonymity standards of Tails, one way in which i2p could perhaps be useful would be enabling the secure distribution of the latest version of essential Open Source software (such as the latest version of Tails itself.)

"Can't we ask the Lizard people to ddos the offending sites 24/7? Surely their powers can be used for good as well as evil."

I can't speak for "the Lizard people", but I guess they might consider yet another DDOS far too predictable and boooring.

A less unoriginal and far more consequential cyber campaign might permanently cripple both the Democratic and Republican parties, by ensuring that none of their candidates can ever again stand as viable contenders for future Congressional and Presidential elections. How? Easy! Just find all the political dirt in their computer systems and send it to Wikileaks.

I am of course joking. We all know this scheme would never work, because the two Major Parties only field candidates who are scrupulously honest, statesmanlike, and utterly incorruptible. And they never take dirty money or do the bidding of such unpopular corporations as Comcast against the interests of The People. That stuff only happens in Hollywood fiction, where it makes Sony and Comcast some serious moola.

Still, you got me thinking. I once noticed that Go: Washington's map of the Boston campaign (1775) shows a major rebel troop movement right past the town of Walpole, MA (currently the registered address of the Tor Project). And I once came across a catchy ditty which was sung in Massachusetts by Paul Jones's recruiting sergeant, one stanza of which seems perfectly suited for the Lizard squadron:

All you that have had bad masters,
And cannot get your due;
Come, come, my brave boys,
And join with our ship's crew.

"Masters" refers to indentured servitude; the sexist assumption that a pirate crew must consist of "boys" was reflexive in the eighteenth century. Paul Jones was a masterful rebel "privateer", a kind of state-sponsored pirate. In the eighteenth century, privateering was legal under international law when done on behalf of a recognized government, which the rebel Congress certainly was not. So as far as George III was concerned, Jones was nothing but a criminal destined for the hangman's noose. But in Paul Jones's most famous exploit, he confronted the far more powerful British frigate sent to sink his pirate ship, which it did, but while his own ship was sinking, Jones captured the enemy frigate and won the battle. Sweet! (And not unlike what LulzSec did to HB Gary Federal.)

The revolutionary provenance of the recruiting ditty seems to be appropriate in part because in our own century, the USG seems to be recreating rigid class structures, indentured servitude, Writs of Assistance, debtors prisons, recurrent epidemics, a large and unemployable underclass living lives of desperate squalor, and all the other social ills which led to the 1775 revolution, while adding such novelties as ecological calamity, black swans, globally deployed operational nuclear weapons, and endless unwinnable (even undefinable) war, etc. And of course we have all been hearing an awful lot about "pirates" in recent years.

So I respectfully suggest that the Lizard squadron ask themselves: what would Paul Jones do?

One answer is contained in the files the Lizard squadron themselves recently leaked from Sony, showing that CIA maintains close ties with Hollywood. One of the most intriguing revelations there was that the USG apparently nixed a Sony film script, authored by the well known author of many "military realism" novels. The reason was that the fictional scenario in the film script was so terrifyingly plausible that the USG feared that it could easily play out in real life, with devastating consequences.

Indeed, I consider that the US nuclear security vulnerabilities portrayed in the script are entirely accurate-- the author must have carefully read the Drell report-- and even worse, they cannot be fixed (for less than many trillions of dollars spread over ten years).

The suppressed film script is based on a fact ripped from the headlines: the government of Israel (and the USG) are terribly concerned about the Iranian bomb project. The ingenious fictional twist is that (in the script) the Israeli PM realizes that an Iranian bomb is only intolerable if it is an operational weapon (not just bomb components which are never actually brought together in the same place, or assembled), and that the best way to persuade the Iranians not to make an operational nuke is to have Israeli commandos (pretending to be ISIL guerrillas) steal an operational *American* weapon.

In the unpublished film script, the "ISIL guerrillas" steal an operational US warhead not to use it as a nuclear weapon, but to threaten to use it as a dirty bomb. That extortionate detail is also amazingly realistic; no wonder the US nixed the film, even though, in the script, the SEALS save the day.

Who knew that the USG was censoring "absurd" Hollywood film scripts on the grounds that they suggest effectual plots to "naughty people"?

The reason I was so astonished by the key fictional premise in the censored film script, that someone might attempt to influence the *Iranian* bomb project by stealing an operational *American* weapon, was that I've thought about these issues for years, and I think that implausible fiction just might be factually defensible in real life.

As everyone knows, Israel has all the components needed to make operational weapons, but they don't keep operational weapons lying around, because they appreciate better than other nations that the biggest reason why nukes are nasty is that if you keep operational weapons deployed long enough, sooner or later your worst enemy will steal one (or one will detonate accidentally). The point of stealing a US nuke (while pretending to be ISIL), and ensuring that critical components are quickly recovered (while pretending the "ISIL" operation has "failed"), would be to get the nuclear powers talking seriously about dismantling all operational nuclear weapons. That is actually a highly desirable goal which would go a long way toward reducing the danger posed to the entire world by "deterrence missions" using operational nuclear weapons. Maybe FAS should also be asking themselves: what would Paul Jones do?

So what is the detailed and very plausible scenario in the suppressed film script, in which Israeli commandos (pretending to be ISIL guerrillas) steal dozens of US operational nuclear weapons at one go? I think it is plausible enough that I won't say, but anyone who is curious can find it in the Lizard leaks.

I'll just say one other thing: someone told me the US military has itself published media materials which practically beg terrorists to carry out the specific nuclear theft scenario featured in the script. Of course I didn't believe it-- until I checked, and found they are correct: the US military PR machine has publicly disclosed a giant security vulnerability in the handling of the very US nuclear warheads which are most easily converted in a few minutes by lo-tech means into horrendous dirty bombs, and the theft would be not much harder than rushing an armored car when the guard opens the door and steps outside (a favorite scenario in many Hollywood movies about fictional bank heists). Gosh.

Before someone says that the USG protects its rather expensive and very dangerous nuclear weapons with all kinds of deadly defenses: the scary truth is that during certain vulnerable moments, the defenses of the most powerful and sophisticated operational weapons are mostly bluff. In my judgment, a moderately courageous Somali pirate gang led by a resourceful leader of the caliber of Paul Jones could carry out an attack like that portrayed in the film script, and I guess they'd enjoy at least a 20% chance of succeeding. A classic military blunder is assuming that your adversary would ever dare to try something because they'd never realize that it has a real chance of success.

Most historians of the American revolution feel that King George was so incompetent that by his own actions he virtually guaranteed that the colonists would rebel. At times, the astonished observer of the modern American federal government (the utterly unworthy heir to the political traditions established in the 1775 revolution) feels that their idiocies far exceed even those of George III.

During the month of Dec 2012 and the first week of Jan 2015, many news articles (and at least one FBI "Alert" bulletin) appeared which suggest an ongoing media onslaught targeting Tor Project with charges that Tor is assisting banking heists, human trafficking, child porn, cyberespionage campaigns, etc., and further implying involvement in the Sony leaks.

In particular, a half dozen news items describe Gareth Owen's talk in ways which tend to feed anti-Tor hysteria. The only news item I have yet seen which appears to utilize Nick's comments can be found here:

Recent DHS and FBI documents candidly admit that both agencies have been competing with NSA for scarce black hat "hacking" talent. Since many NSA/TAO operatives are enlisted personnel seconded to NSA, it is interesting that FBI has been advertising for black hats in Stars and Stripes:

I again urge Tor Project to consider strategic "political" actions, such as letters to the editor presenting reasons why "ethical hackers" should not consider working for USG agencies which are seeking to eradicate the rule of law in American governance, in particular, NSA and FBI. I believe that if the Project can persuade a large fraction of the American STEM (Science/Technology/Engineering/Math) professions not to work for NSA or FBI, we can starve these rogue agencies of the talent they need to continue with "business as usual", at least when it comes to "collect it all" dragnet surveillance and illegal intrusions into computers owned by private citizens (such as the operators of Tor nodes) or companies such as Belgacom.

Don't use Tor. Use Google. At Google, we care deeply about our users' privacy and we make sure that your personal data never falls into the wrong hands.
Here's how we protect your privacy,
We use default SSL encryption to prevent your searches from eavesdropping by hackers and random snoops,
We anonymise our IP and cookie data after 9 months
And we don't cooperate with PRISM as Edward Snowden makes out.
Use Google if you want a better search experience and better online privacy.
Remember, Don't be evil.
Kind regards,
John.

lol Google is so evil. You guys funded Tor before and now you are trying to get people not to use it. If that isn't some kind of evil mind game I don't know what is.
People who know don't believe anything you say about privacy, you practically are a USG contractor.

I urge the Tor Project to pay close attention to Marcy Wheeler's ongoing dissection of the release by NSA of heavily redacted versions of some of its annual and quarterly IOB (Intelligence Oversight Board) reports, particularly these two blogs:

Note that a new category of violations appears starting in Q1 2009: computer network exploitation (CNE), i.e. illicit intrusions into computers/servers not owned by NSA. As Wheeler points out, all violations in this category are entirely redacted in each report. The relevance to Tor of this category is of course the massive ongoing illicit intrusions by USG agencies into Tor nodes, which is particularly concerning to Tor (and to some of its USG sponsors, such as parts of the US State Department) when the intrusions target servers offering anonymous political dissident blogs as hidden services.

Two of the most significant quarterly reports from 2009 have been mysteriously omitted, and at the NSA website, one promised report is a broken link. And as several reporters quickly pointed out, the fact that the documents were released (in belated and grudging response to a FOIA request) on Christmas Eve suggests NSA was hoping to bury news items which make it look incompetent or criminal:

One point which Wheeler has not yet commented on but which I think is highly significant, is the unexplained reference in some of the quarterly reports to "tenant organizations" at NSAG (NSA Georgia, a major center of dragnet surveillance and CNE, located on the grounds of Fort Gordon). I caution against assuming this phrase refers to NSA units known to have facilities at NSAG, such as FGS (Signals Intelligence Department) and FG 3223 (Media Exploitation and Analysis, whose activities include attempting to decrypt encrypted media seized by "client" agencies of USIC). I suspect that other US agencies, including some which are not generally regarded as having any connection to intelligence or law enforcement missions, have personnel "embedded" in certain NSA facilities. (It is known that FBI does this, and likely DEA does too. But reporters should look closely at some other large federal agencies). The phrase "tenant organizations" may be the first public hint that this practice is far more extensive than previously suspected.

Perhaps the most interesting quarterly report for the purpose of comparing with enemy operations which were disclosed by Snowden, such as GCHQ's Operation Remation, is Q1 2012. I have not yet seen this report, but Wheeler says that it breaks down the "legal authorities" [sic] which NSA uses to justify dragnet surveillance as follows:

She comments "I wondered, briefly, if that meant NSA was using a secret authority, some new program that egregiously interpreted a law in a way no one could imagine, just like NSA redefined Section 215 and PRTT. But I don’t think that’s right. Rather, I think NSA is making a rather pathetic effort to hide that it uses FISA’s physical search provision to obtain emails and other data 'stored' in the cloud." I think she is on the right track, but that the reason NSA is trying so hard to disguise this particular kind of search is because, I suspect, it is particularly intrusive. I suspect the entirely redacted searches refer to a so far unacknowledged dragnet search of the financial and medical records of individuals or businesses or organizations residing or headquartered in the US, a category which NSA refers to as "US Persons" (USP). If I am correct, it is pertinent that USG agencies such as HHS have required financial and medical "businesses" to

* transfer to cloud storage all personal financial and medical records on their own clients,
* ensure that these records are formatted for easy incorporation into unspecified government databases.

In dozens of public statements, including testimony before Congress and arguments by DOJ lawyers in various lawsuits challenging the Constitutionality of NSA's warrantless dragnet surveillance, USG officials have repeatedly claimed that the aging HIPAA (Health Insurance Portability and Accountability Act) and RFPA (Right to Financial Privacy) statutes provide USP's with strong protection against searches of personal financial and medical records. Judges and Congresspersons have repeatedly declined to challenge these claims, which is strange, because anyone who has read the statutes knows that they contain very broad exceptions for "law enforcement" [sic], "national security investigations", and "research". A civil rights lawyer, Jonathan Mayer, has finally taken the trouble to point this out, in a recent Techdirt post:

Last but not least, I notice that Lizard Squad used a Riseup email address to post to tor-talk. That may be alarming to bloggers and activists who use Riseup in the context of another discussion of the newly released IOB reports:

Some news reports on the Sony leak quoted comments from the actor George Clooney, who often plays heroic parts in blockbuster Hollywood movies, but failed to point out that his wife Amal is a real life heroine who does precisely the kind of work which Tor attempts to assist. She is a human rights lawyer who is currently helping to defend three Al Jazeera journalists who are on trial for committing journalism while working in Egypt, and she is currently being threatened with arrest on the charge of committing legal-defense while working in Egypt. Sadly, criticizing the government of Egypt, even in the context of defending your clients in court, is illegal in that country:

Another interesting point about the very broad exceptions in RFPA and HIPAA is that these statutes also give USG agencies broad latitude to disclose the personal information of USPs to foreign organizations. There is nothing in these laws which clearly prohibits, for example, the possibility that NSA might decide to disclose to Russian intelligence the home address of a dissident living in the US who blogs critically about the government of V. Putin. We hope this possibility is remote, but it provides another incentive to blog anonymously behind a Tor HS and to support the Tor Project's fight to protect hidden services.

One reason why it is so important for citizens of FVEY countries to join our fight to eradicate American state-sponsored criminal organizations like NSA is that human rights activists around the world need to have a "refuge" from which they can do their work when it is outlawed in countries such as Bahrain, Egypt, Vietnam and others too numerous to mention (because the list has in the last decade grown to include almost all nations, as the US and UK continue to move closer and closer to China and Russia in respect to their disregard for the rights of private citizens).

One last point about the IOB reports: they show that NSA is making much of its difficult task in distinguishing between USPs (who it claims to regard as enjoying "strong protections" against privacy intrusions) and everyone else (whom, it has acknowledged, are not regarded as enjoying any protections whatever from NSA intrusions and other illicit acts). Hence the motivation for NSA's ongoing battle to eradicate privacy protections for USPs. I feel that every living person has an interest in the political struggle to ensure that the international law moves in the opposite direction, by insisting that dragnet surveillance leading to privacy violations such as those committed worldwide by NSA, is everywhere and forever illegal, period, full stop. The UN Commission on Human Rights appears to agree that privacy is a fundamental human right. I find it appalling that this view is regarded as "dangerous radicalism" by the USG.

Please I have a question. What's the difference between accessing Facebook over Tor and accessing Facebook's hidden service? From what I get, hidden services tend to protect publishing; protection of privacy and anti-censorship of the viewer are reasonably guaranteed by appropriate use of Tor. And given the 'announcement' and subsequent 'appraisal', I want to understand it well. What protection does Facebook need? and so what's the use of the hidden service?

Also, I admire arma and respect him/her so much. But in the post on https://blog.torproject.org/blog/facebook-hidden-services-and-https-cer…, where the writer cites the birthday paradox/attack, does not that tell us that the hash is insecure? And can be cracked? While I understand that it is the hash of a PUBLIC key, doesn't that mean it would not be long before someone figures out two public keys with same hash and then we would have some humor in the Tor community, if you get me?
Please I just want to learn. Thank you

I have the impression that Roger spends much of his time in private discussions with government officials, trying to persuade them not to declare Tor outright illegal. While I recognize the importance of such liaisons, I feel that the Project also needs to engage our friends in the mass media (they are not many, but they do exist) to try to counter the constant barrage of propaganda from the Surveillance Industrial complex which attempts to falsely tar all Tor users with the labels of "porn peddlers", "human traffickers", "narcotics traffickers", and "terrorists".

The recent tragedy in Paris is already being exploited by our enemies in a renewed media onslaught targeting Tor, PGP/GPG, and pro-democratic social forums. This media campaign is clearly intended to increase public support for proposals that Western governments should declare illegal the use of strong citizen cryptography, Tor, providers of encrypted email, phone, or chat services, and other democracy-promoting resources.

But the Tor community can use recent events to argue that the answer is not no Tor, or less legal Tor, but much more Tor. In particular, I think we can and should argue that these events show why satirical publications such as The Onion, and blogs such as Emptywheel which frequently criticize powerful state institutions, and maybe even "mainstream" news outlets such as CNN, even academic discussions of politically sensitive subjects such as global warming, should transition to anonymous publication behind Tor hidden services.

Propaganda is dangerous. Our communities should not underestimate its ability to create a deeply entrenched anti-Tor mindset in the political leadership. As an example: I understand that several episodes of recent "cop dramas" broadcast in FVEY countries included statements (by a character) such as "90% of the web is hidden by Tor, which is used exclusively by criminals and terrorists" [sic]. This manifestly absurd claim appears to conflate the "Deep Web" with the "Dark Web", yet it is liable to be believed as literally true by many persons who lack experience in skeptical thinking, potentially including politicians who in the new year will be voting upon new laws giving even more arbitrary powers to the political police. One such false statement in a popular entertainment might be harmless, but hundreds such could easily lead to very widespread and severe misconceptions.

("Deep web": the content of all computers connected to networks which are connected somewhere sometime to the Internet-- for example emails in internal email servers operated by companies such as Sony. "Dark web": the content of websites provided to Tor users as a hidden service.)

I believe that "propaganda" is not an inappropriate term for how Tor and other democracy promoting tools are being portrayed by Hollywood and Fleet Street. Among the most significant disclosures in the recent Sony leaks was evidence of extensive "advice" from CIA to Hollywood concerning how American movies should reflect the current party line from the Surveillance state.

I think it is important that everyone in the Tor community understand how extensive and relentless is the assault by the State upon the rights of the citizen to privacy, freedom from unwarranted searches of our persons and our homes, freedom from governmental reprisals and oppression, and freedom of expression. Because the principal reason why Tor is so essential in the modern world is that it is one of the very few tools which can help maintain the balance between the powers of the State and the rights of the citizen.

A recent and particularly troubling example of the assault by the State upon grass roots organizations which seek to promote democracy has recently been reported by Riseup Networks. Before providing a link to that report, I would like to provide some background which may help to explain why the incident is significant for Tor users worldwide.

Well-informed persons have been warning for several years that Western governments are edging toward a policy of mass arrests for purposes of "preventative detention" of persons whom predictive analysis drawing upon Big Data resources has identified as allegedly posing a potential future danger to the State. From a recent interview of John Podesta, lead author of the recent report on Big Data:

"SPIEGEL: In your report on NSA and "big data" for President Obama, you describe the potential opportunities and threats of this technology. What dangers do you see of big data in the hands of a surveillance system like the NSA?
Podesta: I think about it more in the context of law enforcement. You begin to -- particularly with predictive analytics -- blur the line between the presumption of innocence and targeting individuals."

(The interviewer misspoke: in fact Podesta was explicitly forbidden to discuss NSA dragnet surveillance; the Podesta report discusses only the dangers posed by commercial companies such as lenders and health insurers who are using Big Data tools. Nevertheless this report is well worth reading for further background on the topics discussed here.)

A recent editorial in The Guardian sketches some of the dangers to democratic free societies which are posed by the increasing use of predictive analysis by frightened government officials seeking to identify in advance persons who allegedly pose potential future dangers to the State:

One fundamental problem with predictive analysis, when governments attempt to predict rare events, is that it can't possibly work. The mathematics of Bayes's rule shows clearly that in such cases, almost everyone flagged by predictive analytics is *innocent* of the algorithmically generated charge:

And even at such a social cost, the mathematics also shows that a substantial fraction of the tiny (tiny!) number of people who might really become dangerous in future will evade mass arrest dragnets powered by predictive analysis.

Such problems have not stopped the Surveillance industrial complex from enthusiastically marketing commercial "solutions" which use Big Data repositories to provide "threat ratings" in real time to police officers:

The first generation of such real time threat scoring policeware tools are crude, but it is clear that as widespread information sharing by governmental agencies and private companies becomes more extensive and intrusive, police officers will be provided in real time with more and more sensitive information about anyone they encounter during their workday. One of the more troubling possibilities is that they will not only know who posts comments critical of the police (unless the poster used Tor!), they may know our financial and medical histories, and even disciplinary records from our educational histories.

A civil rights lawyer recently pointed out in Techdirt that, contrary to repeated assurances by government officials in American court cases and congressional testimony that the RFPA and HIPAA acts "provide strong privacy protections" [sic] for the financial and medical records of US persons, these laws in fact contain very broad exceptions for law enforcement and "national security" agencies:

The declared interest of the security services in tracking medical history as well as social media postings is clear from a spate of recent news articles focusing on a particularly vulnerable minority group:

The interest of the police in disciplinary incidents which can often be found in educational records is clear from the demands the Surveillance state is making upon social media providers. These demands raise the troubling possibility (discussed in another context in the Podesta report) that large numbers of children might be flagged early in life as "potential terrorists" simply because they talked back to a teacher, or were caught smoking in the halls:

Labeling a child as a "potential future terrorist" seems unlikely to help assure that a young person will enjoy equal opportunities in society. The Podesta report offers a clear discussion of the danger that Big Data may be misused by the private sector to create a new Jim Crow; this danger is even more severe when Big Data is misused by the State. And the eagerness of the security services to screen kindergartners reveals what they are really thinking when they cry "think of the children!"

Some people have long been under suspicion simply because they belong to a minority group suspected by paranoid government officials of posing a potential danger to the State. Last year, the newly elected mayor of NYC Bill Blasio, forced NYPD to finally shut down the notorious Muslim Unit founded a decade ago by a controversial secret police operative with ties to Israeli intelligence, David Cohen. This unit spied upon Muslim citizens in the greater New York area for many years simply because of their religious affiliation. Its activities ranged from bugging mosques to mapping eateries owned by Muslims. Unfortunately, the recent tragedy in Paris immediately led to calls from Cohen's many ardent supporters in the US press to start it up again:

In testimony given before Congress some years ago, Hayden hinted that NSA uses computer modeling in conjunction with predictive analytics in order to draw up "kill lists". The same method can potentially be used by national police organizations to draw up lists of persons to be rounded up in mass arrests:

Further, both Riseup and Tor communities are under increasingly virulent attack by misguided and increasingly authoritarian Western governments, by such means as propaganda, media campaigns, and if all else fails, by cyberattacks.

State-sponsored malware assaults targeting individual citizens have unfortunately long since moved from the hypothetical to the actual. One example where the FBI used a crude cyberattack to target a high school student, who had been accused by a source but against whom FBI had no evidence, is discussed here:

The global academic community is also slowly waking up to the severe danger to free expression which is posed by oppressive measures being enacted by governments all over the world, such as the demand that professors report students (and students report professors) who attempt to discuss politically provocative ideas in the classroom:

The Tor Project focuses on the technical rather than the political, yet by the very nature of its democracy-promoting aims, it is highly political in nature. This means both that it belongs to a constellation of organizations under continual attack by (seemingly) every national, provincial, and local government in the world, and also that it enjoys a natural alliance with other organizations which have similar goals of empowering ordinary citizens to become politically active in a constructive way.

Many activists around the world use Riseup Networks email accounts, or exchange information in mailing lists hosted by Riseup. This collective is so important for human rights, animal rights, ecological justice and social justice movements worldwide that the Tails version of Tor browser includes a link to Riseup email, on the assumption that anyone who uses Tails is likely to also use Riseup.

A recent incident in Spain which targeted the Riseup community clearly demonstrates that the issue of preventative detention by Western governments is not merely hypothetical. According to a statement from Riseup Networks:

"On Tuesday December 16th [2014], a large police operation took place in the Spanish State. Fourteen houses and social centers were raided in Barcelona, Sabadell, Manresa, and Madrid. Books, leaflets, computers were seized and eleven people were arrested and sent to the Audiencia Nacional, a special court handling issues of 'national interest', in Madrid. They are accused of incorporation, promotion, management, and membership of a terrorist organisation. However, lawyers for the defence denounce a lack of transparency, saying that their clients have had to make statements without knowing what they are accused of. '[They] speak of terrorism without specifying concrete criminal acts, or concrete individualized facts attributed to each of them'. When challenged on this, Judge Bermúdez responded: 'I am not investigating specific acts, I am investigating the organization, and the threat they might pose in the future'; making this yet another case of apparently preventative arrests."

"Four of the detainees have been released, but seven have been jailed pending trial. The reasons given by the judge for their continued detention include the possession of certain books, 'the production of publications and forms of communication', and the fact that the defendants 'used emails with extreme security measures, such as the RISE UP server'"

In other words, simply using a Riseup email address is seen by some governments as grounds for suspicion or even mass arrests. We should stress once more: terrorism is very rare, so almost everyone placed in preventative detention on suspicion of possibly posing some future threat to the State will not in fact pose any such threat.

Political dissidents worldwide have been put on notice that Western "democratic" nations no longer provide a safe haven from which activists can work to promote human and civil rights in dangerous war-torn regions such as Syria. This has terrible implications for the future of democracy everywhere.

Who should use hidden services? Who should use strong cryptography to protect their communications? Who should worry about computer and operational security? Everyone! But some people more than others, such as satirists, journalists, and activists.

Many peaceful protest groups in the US which organize protest rallies, or even engage in civil disobedience stunts, like to claim that "we run an open organization", apparently acting on the theory that the First Amendment strongly protects them from police harassment or surveillance by the intelligence services. I believe that such attitudes, while possibly not unreasonable a decade ago, are now seriously outdated and are even becoming dangerous. In the very near future, Occupy protesters who are already at high risk of being named as "persons of interest" by companies like Cyveillance, Rook Security, or Wynard Group, simply because they have posted less than anonymous criticisms of Morgan Stanley, may become targets of hacking carried out by these same companies.

This fear is hardly a wild conspiracy theory. The websites of these companies offer strong hints about their intentions towards anyone who is perceived to threaten their clients' bottom line.

For example, Wynard Group boasts that "Wynard's powerful software platform combines big data, advanced crime analytics and trade-craft to identify persons of interest, stop offenders and protect victims." Given that Wynard has no arrest powers, and that the FBI is (by its own admission) ineffective at bringing perpetrators of cyberheists to justice, how does Wynard "stop offenders"? It is not hard to guess one likely answer, given that Wynard also boasts of hiring people with experience in state-sponsored hacking:

Wynard's CEO is a former marketing executive with Peregrine, Quest, Verity, and Autonomy, which may explain why this company has placed so much emphasis on high profile acquisitions for its Advisory Board, including:

At least one VP is another former FBI agent. Hiring former members of the security services is common practice; one of Wynard's competitors boasts that its workforce consists entirely of former NSA hackers. And I haven't even mentioned IronNet Security, founded by General "Collect-it-all" himself-- former DIRNSA and would-be multi-millionaire Keith Alexander.

Cyveillance's website says: "Through continuous, comprehensive Internet monitoring and sophisticated intelligence analysis, Cyveillance proactively identifies and eliminates threats to information, infrastructure, individuals and their interactions, enabling its customers to preserve their reputation, revenues, and customer trust... Cyveillance's technology is uniquely capable of scouring the entire Internet at high speed to locate, filter and prioritize company or institution-specific dialogue, offering clients the ability to quickly and proactively address potential issues such as negative comments about the corporation, a brand, or their service reputations." But in marketing brochures distributed in surveillance-industrial trade shows (some examples have been published at Wikileaks), they are more forthright about how they identify and surveil groups which might give rise to bad press about their clients, the big banks, chemical companies, and others.

And a recent story at Bloomberg News discusses hacking services touted by Rook Security:

"Rook Security, an Indianapolis-based firm known until recently as Rook Consulting, has clients stipulate in their contracts how far they are willing to let the company go in guarding their information. One of the services that Rook offers is stolen-data retrieval."

Hacking computers suspected of being used by hacktivists who stole some client corporation's data today, tomorrow perhaps, hacking computers suspected of being used by suspected Occupy protesters. It is a slippery road, and "law enforcement" agencies appear to be doing little to discourage companies from rushing down this path.

The pen remains mightier than the sword, the baton, the flash-bang grenade and the Klash, maybe even mightier than the Bearcat and the Predator drone. This isn't about peaceful protest groups becoming less peaceful (although the security services always seem to think it is their duty to assume the worst), it's about ceasing to make yourself a ridiculously easy target for an increasing variety of increasingly lawless and ruthless adversaries. Who are often remote but no less dangerous for being located in another land.

Americans should remember that such figures as John Adams, Thomas Paine, Alexander Hamilton, and James Madison published their most important essays anonymously. They did not embrace anonymity because they were inherently dishonest or cowardly. They did it because they wrote to express provocative and even radical political views within a society which was deeply divided on many fundamental issues, and because they wrote in a time when a worrisome whiff of violence was in the air. Times not unlike our own. If his most Ungracious and Incompetent Majesty King Geo 3rd had been less unwilling to acknowledge that the rushing tide of history was washing away his ineffective and tyrannical rule like the ruined tea which mounded upon the shores of Boston harbor, that conflict might have been resolved by peaceful grant of "independancy".

Hi! There's a new alpha release available for download. If you build Tor from source, you can download the source code for 0.3.3.2-alpha from the usual place on the website. Packages should be available over the coming weeks, with a new alpha Tor Browser release some time in February.

Remember, this is an alpha release: you should only run this if you'd like to find and report more bugs than usual.

Tor 0.3.3.2-alpha is the second alpha in the 0.3.3.x series. It introduces a mechanism to handle the high loads that many relay operators have been reporting recently. It also fixes several bugs in older releases. If this new code proves reliable, we plan to backport it to older supported release series.

Changes in version 0.3.3.2-alpha - 2018-02-10

Major features (denial-of-service mitigation):

Give relays some defenses against the recent network overload. We start with three defenses (default parameters in parentheses). First: if a single client address makes too many concurrent connections (>100), hang up on further connections. Second: if a single client address makes circuits too quickly (more than 3 per second, with an allowed burst of 90) while also having too many connections open (3), refuse new create cells for the next while (1-2 hours). Third: if a client asks to establish a rendezvous point to you directly, ignore the request. These defenses can be manually controlled by new torrc options, but relays will also take guidance from consensus parameters, so there's no need to configure anything manually. Implements ticket 24902.
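A simplified model of the three defenses with the default parameters quoted above, showing how the burst allowance, the connection threshold and the refusal period interact. This is an added example, not Tor's source: the struct, the function names and the use of the 1-hour lower bound for the refusal period are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Defaults quoted in the release notes above. */
#define MAX_CONCURRENT_CONNS 100  /* defense 1: more than this => hang up */
#define CIRC_RATE_PER_SEC    3    /* defense 2: sustained circuits per second */
#define CIRC_BURST           90   /* defense 2: allowed burst */
#define CIRC_MIN_CONNS       3    /* defense 2: applies at this many open conns */
#define DEFENSE_PERIOD_SEC   3600 /* assumption: lower end of "1-2 hours" */

/* Per-client-address state (hypothetical layout, not Tor's). */
typedef struct {
    uint32_t open_conns;
    uint32_t tokens;        /* circuit-creation token bucket */
    uint64_t last_refill;   /* seconds */
    uint64_t blocked_until; /* create cells are refused before this time */
} client_state_t;

void client_init(client_state_t *c, uint64_t now) {
    c->open_conns = 0;
    c->tokens = CIRC_BURST;
    c->last_refill = now;
    c->blocked_until = 0;
}

/* Defense 1: refuse the connection that would exceed the concurrent limit. */
bool on_new_connection(client_state_t *c) {
    if (c->open_conns + 1 > MAX_CONCURRENT_CONNS)
        return false;
    c->open_conns++;
    return true;
}

/* Add CIRC_RATE_PER_SEC tokens per elapsed second, capped at CIRC_BURST. */
static void refill(client_state_t *c, uint64_t now) {
    if (now <= c->last_refill)
        return;
    uint64_t elapsed = now - c->last_refill;
    if (elapsed > CIRC_BURST)
        elapsed = CIRC_BURST; /* the bucket is full long before this */
    uint64_t t = c->tokens + elapsed * CIRC_RATE_PER_SEC;
    c->tokens = (uint32_t)(t > CIRC_BURST ? CIRC_BURST : t);
    c->last_refill = now;
}

/* Defense 2: an empty bucket combined with enough open connections
 * starts a refusal period; rate alone never triggers it. */
bool on_create_cell(client_state_t *c, uint64_t now) {
    refill(c, now);
    if (now < c->blocked_until)
        return false;
    if (c->tokens == 0) {
        if (c->open_conns >= CIRC_MIN_CONNS) {
            c->blocked_until = now + DEFENSE_PERIOD_SEC;
            return false;
        }
        return true; /* below the connection threshold */
    }
    c->tokens--;
    return true;
}

/* Defense 3: ignore a rendezvous request that arrives directly from a client. */
bool on_establish_rendezvous(bool direct_from_client) {
    return !direct_from_client;
}

/* Send n create cells at time `now`; return how many were accepted. */
unsigned send_creates(client_state_t *c, unsigned n, uint64_t now) {
    unsigned ok = 0;
    for (unsigned i = 0; i < n; i++)
        if (on_create_cell(c, now))
            ok++;
    return ok;
}

int main(void) {
    client_state_t c;
    client_init(&c, 1000);
    for (int i = 0; i < CIRC_MIN_CONNS; i++)
        on_new_connection(&c);
    printf("burst at t=1000: %u of 100 accepted\n", send_creates(&c, 100, 1000));
    printf("10 s later:      %u of 5 accepted\n", send_creates(&c, 5, 1010));
    printf("after period:    %u of 1 accepted\n",
           send_creates(&c, 1, 1000 + DEFENSE_PERIOD_SEC));
    return 0;
}
```

In the model, tokens keep refilling during the refusal period, so a client that goes quiet has its full burst allowance back once the period ends.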

Major bugfixes (netflow padding):

Stop adding unneeded channel padding right after we finish flushing to a connection that has been trying to flush for many seconds. Instead, treat all partial or complete flushes as activity on the channel, which will defer the time until we need to add padding. This fix should resolve confusing and scary log messages like "Channel padding timeout scheduled 221453ms in the past." Fixes bug 22212; bugfix on 0.3.1.1-alpha.